Re: Call for tests: pkg_install-renovation

On Mon, May 26, 2008 at 11:26:08AM +0200, Hubert Feyrer wrote:
> On Sun, 25 May 2008, Joerg Sonnenberger wrote:
>> To sign a package, use
>> pkg_admin sign-package pkg.tgz signed/pkg.tgz \
>> .../private/cakey.pem .../newcerts/00.pem
>
> cool... personally I'd expect that functionality in pkg_create instead of
> pkg_admin. maybe that can be moved?
It takes an existing package and I would prefer to keep pkg_create
focused on that part. It is bad enough that it has to provide the logic
for registering as well.
Another good reason to keep it in pkg_admin: you also need support to
check the signature and that doesn't make any sense in pkg_create :-)
>> The signature check is enabled by setting VERIFIED_INSTALLATION
>> accordingly.
>
> In the environment, I guess?
Currently only in pkg_install.conf. Man page is about to be committed.
I would prefer to not have to look in the environment, but I am open on
that question.
> Can you tell how to do the verification "manually" (using openssl?)
> for all our openssl-neophytes out there that don't want to install a
> package (or even run netbsd/pkgsrc) to check the signature?
It is a bit tricky as the signatures are created in a way to allow
streaming installation from FTP. A signed package is normally an
ar(1)chive, containing three entries:
+PKG_HASH
+PKG_SIGNATURE
pkg.tgz
(the latter just named after the package). It doesn't really matter if
it is ar(1) or some other supported archive format, but it does care
about the order.
The third file should be obvious. The second file is the PKCS7 signature
of the first; it can be validated e.g. with nbsvtool(1). The first file
is the description of the package. It looks for example like:
--- cut here ---
pkgsrc signature
version: 1
pkgname: digest-20070803
algorithm: SHA512
block size: 65536
file size: 36854
4ba682e9c01e6fc31d5e8e84cb6d4a8b0c85f9df0f7cd30510ec2ee30d48b598a7e3b8adfa2ca06df5a48b22a0831ab89367e8a81f40366055a39f45728139a3
end pkgsrc signature
--- cut here ---
The last part before "end pkgsrc signature" is the hash of each block.
Validating this is the tricky part; it will require some use of split(1)
or so :-) It is not recommended to create the files by hand as the
parser is pretty dumb^Wstrict.
Joerg
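For readers who wanted the "manual" verification Hubert asked about, the following is an added example (editor's code, not part of the thread and not pkg_install's own implementation) that parses the +PKG_HASH description shown above and checks a package's bytes against it block by block. It assumes, since the message does not spell it out, that each line between "file size:" and "end pkgsrc signature" is the lowercase hex digest of one consecutive `block size`-byte chunk of pkg.tgz, that the last chunk may be shorter, and that there are ceil(file size / block size) such lines. The PKCS7 check of +PKG_SIGNATURE over +PKG_HASH is left to nbsvtool(1) or openssl as the message says; the sample payload and package name below are constructed.

```python
#!/usr/bin/env python3
"""Parse and verify a +PKG_HASH description (added example, not pkg_install code).

Assumptions not stated in the message: every line between "file size:" and
"end pkgsrc signature" is the lowercase hex digest of one consecutive
`block size`-byte chunk of pkg.tgz, the final chunk may be shorter, and the
number of hash lines equals ceil(file size / block size).
"""
import hashlib

HEADER = "pkgsrc signature"
FOOTER = "end pkgsrc signature"
FIELDS = ("version", "pkgname", "algorithm", "block size", "file size")
ALGORITHMS = {"SHA512": hashlib.sha512, "SHA256": hashlib.sha256}

# The +PKG_HASH quoted in the message above, reproduced verbatim.
SAMPLE_FROM_MESSAGE = """pkgsrc signature
version: 1
pkgname: digest-20070803
algorithm: SHA512
block size: 65536
file size: 36854
4ba682e9c01e6fc31d5e8e84cb6d4a8b0c85f9df0f7cd30510ec2ee30d48b598a7e3b8adfa2ca06df5a48b22a0831ab89367e8a81f40366055a39f45728139a3
end pkgsrc signature
"""


def parse_pkg_hash(text):
    """Strict parser: returns the header fields plus the list of block hashes,
    raising ValueError on anything unexpected (the message warns that the
    real parser is strict too, so hand-made files are a bad idea)."""
    lines = text.splitlines()
    if len(lines) < len(FIELDS) + 2 or lines[0] != HEADER or lines[-1] != FOOTER:
        raise ValueError("missing header/footer or description too short")
    desc = {}
    for key, line in zip(FIELDS, lines[1:]):
        prefix = key + ": "
        if not line.startswith(prefix):
            raise ValueError("expected %r line, got %r" % (key, line))
        desc[key] = line[len(prefix):]
    if desc["version"] != "1":
        raise ValueError("unsupported version %r" % desc["version"])
    if desc["algorithm"] not in ALGORITHMS:
        raise ValueError("unsupported algorithm %r" % desc["algorithm"])
    desc["block size"] = int(desc["block size"])
    desc["file size"] = int(desc["file size"])
    if desc["block size"] <= 0 or desc["file size"] < 0:
        raise ValueError("bad block size or file size")
    hashes = lines[1 + len(FIELDS):-1]
    want = -(-desc["file size"] // desc["block size"])  # ceil division
    if len(hashes) != want:
        raise ValueError("expected %d block hashes, found %d" % (want, len(hashes)))
    hexlen = ALGORITHMS[desc["algorithm"]]().digest_size * 2
    for h in hashes:
        # strip() leaves something behind only if a non-hex character is present
        if len(h) != hexlen or h.strip("0123456789abcdef"):
            raise ValueError("malformed block hash %r" % h)
    desc["hashes"] = hashes
    return desc


def make_pkg_hash(pkgname, data, block_size=65536, algorithm="SHA512"):
    """Build a +PKG_HASH description for the bytes of a package file."""
    hasher = ALGORITHMS[algorithm]
    lines = [HEADER, "version: 1", "pkgname: " + pkgname, "algorithm: " + algorithm,
             "block size: %d" % block_size, "file size: %d" % len(data)]
    lines += [hasher(data[i:i + block_size]).hexdigest()
              for i in range(0, len(data), block_size)]
    lines.append(FOOTER)
    return "\n".join(lines) + "\n"


def verify_pkg_hash(text, data):
    """Check package bytes against a +PKG_HASH description; returns (ok, reason).

    Blocks are checked in order, which is what lets an installer verify a
    package while it is still streaming in, as the message describes."""
    desc = parse_pkg_hash(text)
    if len(data) != desc["file size"]:
        return False, "file size mismatch: %d != %d" % (len(data), desc["file size"])
    hasher, bs = ALGORITHMS[desc["algorithm"]], desc["block size"]
    for idx, expected in enumerate(desc["hashes"]):
        if hasher(data[idx * bs:(idx + 1) * bs]).hexdigest() != expected:
            return False, "block %d hash mismatch" % idx
    return True, "ok"


if __name__ == "__main__":
    print(parse_pkg_hash(SAMPLE_FROM_MESSAGE)["pkgname"])  # digest-20070803
    payload = bytes(range(256)) * 40  # constructed 10240-byte stand-in for pkg.tgz
    desc = make_pkg_hash("example-1.0", payload, block_size=4096)  # three blocks
    print(verify_pkg_hash(desc, payload))
    tampered = bytearray(payload)
    tampered[5000] ^= 0xFF  # flip one byte inside block 1
    print(verify_pkg_hash(desc, bytes(tampered)))
```

Note that without the +PKG_SIGNATURE check this only tells you the package matches its own description; the PKCS7 signature over +PKG_HASH is what ties that description to the signer's certificate.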